{ pkgs, ... }:

let
  inherit (import ./ssh-keys.nix pkgs)
    snakeOilPrivateKey
    snakeOilPublicKey
    snakeOilEd25519PrivateKey
    snakeOilEd25519PublicKey
    ;
in
{
  name = "openssh";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ aszlig ];
  };

  nodes = {

    server =
      { ... }:

      {
        services.openssh.enable = true;
        security.pam.services.sshd.limits = [
          {
            domain = "*";
            item = "memlock";
            type = "-";
            value = 1024;
          }
        ];
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    server-allowed-users =
      { ... }:

      {
        services.openssh = {
          enable = true;
          settings.AllowUsers = [
            "alice"
            "bob"
          ];
        };
        users.groups = {
          alice = { };
          bob = { };
          carol = { };
        };
        users.users = {
          alice = {
            isNormalUser = true;
            group = "alice";
            openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
          };
          bob = {
            isNormalUser = true;
            group = "bob";
            openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
          };
          carol = {
            isNormalUser = true;
            group = "carol";
            openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
          };
        };
      };

    server-lazy =
      { ... }:

      {
        services.openssh = {
          enable = true;
          startWhenNeeded = true;
        };
        security.pam.services.sshd.limits = [
          {
            domain = "*";
            item = "memlock";
            type = "-";
            value = 1024;
          }
        ];
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    server-lazy-socket = {
      virtualisation.vlans = [
        1
        2
      ];
      services.openssh = {
        enable = true;
        startWhenNeeded = true;
        ports = [ 2222 ];
        listenAddresses = [ { addr = "0.0.0.0"; } ];
      };
      users.users.root.openssh.authorizedKeys.keys = [
        snakeOilPublicKey
      ];
    };

    server-localhost-only =
      { ... }:

      {
        services.openssh = {
          enable = true;
          listenAddresses = [
            {
              addr = "127.0.0.1";
              port = 22;
            }
          ];
        };
      };

    server-localhost-only-lazy =
      { ... }:

      {
        services.openssh = {
          enable = true;
          startWhenNeeded = true;
          listenAddresses = [
            {
              addr = "127.0.0.1";
              port = 22;
            }
          ];
        };
      };

    server-match-rule =
      { ... }:

      {
        services.openssh = {
          enable = true;
          listenAddresses = [
            {
              addr = "127.0.0.1";
              port = 22;
            }
            {
              addr = "[::]";
              port = 22;
            }
          ];
          extraConfig = ''
            # Combined test for two (predictable) Match criterias
            Match LocalAddress 127.0.0.1 LocalPort 22
              PermitRootLogin yes

            # Separate tests for Match criterias
            Match User root
              PermitRootLogin yes
            Match Group root
              PermitRootLogin yes
            Match Host nohost.example
              PermitRootLogin yes
            Match LocalAddress 127.0.0.1
              PermitRootLogin yes
            Match LocalPort 22
              PermitRootLogin yes
            Match RDomain nohost.example
              PermitRootLogin yes
            Match Address 127.0.0.1
              PermitRootLogin yes
          '';
        };
      };

    server-no-openssl =
      { ... }:
      {
        services.openssh = {
          enable = true;
          package = pkgs.opensshPackages.openssh.override {
            linkOpenssl = false;
          };
          hostKeys = [
            {
              type = "ed25519";
              path = "/etc/ssh/ssh_host_ed25519_key";
            }
          ];
          settings = {
            # Since this test is against an OpenSSH-without-OpenSSL,
            # we have to override NixOS's defaults ciphers (which require OpenSSL)
            # and instead set these to null, which will mean OpenSSH uses its defaults.
            # Expectedly, OpenSSH's defaults don't require OpenSSL when it's compiled
            # without OpenSSL.
            Ciphers = null;
            KexAlgorithms = null;
            Macs = null;
          };
        };
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilEd25519PublicKey
        ];
      };

    server-no-pam =
      { pkgs, ... }:
      {
        services.openssh = {
          enable = true;
          package = pkgs.opensshPackages.openssh.override {
            withPAM = false;
          };
          settings = {
            UsePAM = false;
          };
        };
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    server-null-pam =
      { pkgs, ... }:
      {
        services.openssh = {
          enable = true;
          package = pkgs.opensshPackages.openssh.override {
            withPAM = false;
          };
          settings = {
            UsePAM = null;
          };
        };
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    server-sftp =
      { pkgs, ... }:
      {
        services.openssh = {
          enable = true;
          extraConfig = ''
            Match Group sftponly
              ChrootDirectory /srv/sftp
              ForceCommand internal-sftp
          '';
        };

        users.groups = {
          sftponly = { };
        };
        users.users = {
          alice = {
            isNormalUser = true;
            createHome = false;
            group = "sftponly";
            shell = "/run/current-system/sw/bin/nologin";
            openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
          };
        };
      };

    server-no-sshd-with-key =
      { pkgs, ... }:
      {
        services.openssh.generateHostKeys = true;
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    client =
      { ... }:
      {
        virtualisation.vlans = [
          1
          2
        ];
      };

  };

  testScript = ''
    start_all()

    server.wait_for_unit("sshd", timeout=30)
    server_allowed_users.wait_for_unit("sshd", timeout=30)
    server_localhost_only.wait_for_unit("sshd", timeout=30)
    server_match_rule.wait_for_unit("sshd", timeout=30)
    server_no_openssl.wait_for_unit("sshd", timeout=30)
    server_no_pam.wait_for_unit("sshd", timeout=30)
    server_null_pam.wait_for_unit("sshd", timeout=30)
    server_null_pam.fail("journalctl -u sshd.service | grep 'Unsupported option UsePAM'")
    server_sftp.wait_for_unit("sshd", timeout=30)

    server_lazy.wait_for_unit("sshd.socket", timeout=30)
    server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
    server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)

    # sshd-keygen is a oneshot unit, so just wait for multi-user.target, which
    # pulls it in.
    server_no_sshd_with_key.wait_for_unit("multi-user.target", timeout=30)

    with subtest("manual-authkey"):
        client.succeed(
            '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
        )
        public_key = client.succeed(
            "${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"
        )
        public_key = public_key.strip()
        client.succeed("chmod 600 /root/.ssh/id_ed25519")

        server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
        server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))

        client.wait_for_unit("network.target")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2",
            timeout=30
        )
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024",
            timeout=30
        )

        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'echo hello world' >&2",
            timeout=30
        )
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'ulimit -l' | grep 1024",
            timeout=30
        )

    with subtest("socket activation on a non-standard port"):
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        # The final segment in this IP is allocated according to the alphabetical order of machines in this test.
        client.succeed(
            "ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.5 true",
            timeout=30
        )

    with subtest("configured-authkey"):
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true",
            timeout=30
        )
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true",
            timeout=30
        )

    with subtest("localhost-only"):
        server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
        server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")

    with subtest("match-rules"):
        server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'")

    with subtest("allowed-users"):
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server-allowed-users true",
            timeout=30
        )
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server-allowed-users true",
            timeout=30
        )
        client.fail(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
            timeout=30
        )

    with subtest("no-openssl"):
        client.succeed(
            "cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-openssl true",
            timeout=30
        )

    with subtest("no-pam"):
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
            timeout=30
        )

    with subtest("null-pam"):
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-null-pam true",
            timeout=30
        )

    with subtest("sftp"):
        server_sftp.succeed(
          "mkdir -p /srv/sftp/uploads"
        )
        server_sftp.succeed(
          "chown alice:sftponly /srv/sftp/uploads"
        )
        server_sftp.succeed(
          "chmod 0755 /srv/sftp/uploads"
        )

        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")

        client.succeed(
            "echo 'hello-sftp-world' > test-file"
        )
        client.succeed(
            "echo 'put test-file uploads/' > put-batch-file"
        )

        client.succeed(
            "sftp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil -b put-batch-file alice@server-sftp",
            timeout=30
        )

        server_sftp.wait_for_file("/srv/sftp/uploads/test-file")

    with subtest("keygen without sshd"):
        client.fail(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@server-no-sshd-with-key true",
            timeout=30
        )
        server_no_sshd_with_key.succeed("test -e /etc/ssh/ssh_host_ed25519_key")
        server_no_sshd_with_key.succeed("test -e /etc/ssh/ssh_host_ed25519_key.pub")
        server_no_sshd_with_key.fail("pgrep sshd")

        # Validate the above check for sshd using pgrep does pass on a server
        # that should have sshd running, just to prove it's a useful test.
        server.succeed("pgrep sshd")

    # None of the per-connection units should have failed.
    server_lazy.fail("systemctl is-failed 'sshd@*.service'")
  '';
}
